INTRODUCTION


Have you ever wished for an army of clones to do all your thankless tasks and chores? Well, that fantasy is becoming a reality—at least on the Internet. And while they may not be actual clones, bots have begun doing lots of digital dirty work.


Managing your relationship with bots—good and bad—has become an inherent part of doing business in a connected world. With more than half of online traffic initiated by autonomous programs, it's clear that bots are a driving force of technological change, and they're here to stay.

As bot technology, machine learning, and AI continue to evolve, so will the threats they pose. And while some bots are good, many are malicious—and the cybercriminals behind them are targeting your apps.

Preparing your organization to deal with the impact of bots on your business is essential to developing a sustainable strategy that will enable you to grow as you adapt to the new bot-enabled world.


1 https://www.recode.net/2017/5/31/15720396/internet-traffic-bots-surpass-human-2016-mary-meeker-code-conference
2 https://insights.dice.com/2017/07/14/digital-assistants-greater-usage-adoption/


OF PEOPLE WITH DIGITAL ASSISTANTS SAY IT WILL MAKE THEM MORE LIKELY TO BUY ADDITIONAL CONNECTED DEVICES.²
THE GOOD NEWS: BOT INNOVATION IMPROVES CUSTOMER EXPERIENCE


What does it mean to be human on the Internet these days? Does it even matter whether you're interacting with an actual person or with an autonomous program? There are many scenarios where bots are there to help the average consumer do what they want to do—in a fraction of the time it would take to do it themselves.

Consider an online shopping scenario. If your customers already know exactly what they need, there is no reason for them to navigate your site to find it when a helpful bot can place the order more efficiently for them. This is already happening, all over the web.

Now think about the growing use of digital assistants, such as iOS-based Siri or an in-home version like Amazon's Alexa. These are also bots, and they're intended to make our lives easier. In exchange for the ease of automatically ordering more granola bars when you run out, people are giving up significant privacy, judging the reward of convenience to be more than worth the cost.³ Consumer-facing sites that don't adapt to the new reality of a bot-centered world may see their market share eroded by those that do.

Designing an organizational strategy to manage the growing bot traffic on the Internet is essential, because bots are getting smarter, enabled by machine learning and neural network technology. Leading tech organizations leverage these autonomous programs to build more resilient networks and to monitor and maintain operations, making life easier for their customers. However, bots also make life easier for attackers, fraudsters, or competitors seeking to exploit weaknesses in software and business processes.

3 https://insights.dice.com/2017/07/14/digital-assistants-greater-usage-adoption/
THE BAD NEWS: BOT INNOVATION ENABLES CYBERCRIME


Just like any useful tool, bots can be co-opted by attackers to optimize their criminal activity. The threats being faced are constantly evolving—driven by a growing list of motivations, including direct consumer fraud, IP theft, long-tail profiteering, political ends, or petty personal grudges—and bots are doing the dirty work.

Industries with the most potential for monetary gain are the hardest hit by bad bots. Airline and ticket-sales sites are likewise ripe for attack: they rely on visibility into the "look vs. book" ratio on their sites to ensure tickets are available for customers, but bots performing content scraping register as a "look" and artificially skew the ratio.


DDoS ATTACKS

DDoS for hire is both lucrative and highly accessible. Launching an hour-long DDoS attack using a cloud service can cost as little as four dollars,⁴ which is much less than the cost of mitigating it. This kind of DDoS attack can be used by criminals who then demand a ransom to turn it off, or potentially by your competitors looking to interfere with your business and capture a greater share of the market. The rise of IoT botnets like Mirai means that criminals can easily outclass the defenses of most legitimate organizations.⁵


INTELLECTUAL PROPERTY THEFT

Cybercriminals also use bots to duplicate proprietary information, which can then be parsed for intellectual property such as videos or PDFs of printed material, email addresses, or usernames that are then hidden in web code. They also target logos or graphic elements, which could help an attacker design a realistic phishing site, thus degrading your brand and company reputation—as well as hurting your customer relationships.


RESOURCE HOARDING (AND RESALE)

Bots are the perfect tools for ticket scalpers, helping them easily scoop up large numbers of tickets to popular events, which they can then resell at a premium. There are also automated agents like the All-in-One sneaker bot being used by scalpers vying to get their hands on the latest pair of limited-edition Yeezys—and then offering them to sneakerheads at exorbitant prices.⁶


COMPETITIVE INTELLIGENCE

With consumer goods such as airline tickets, hotel rooms, and other travel-related items where costs can fluctuate rapidly, bots can glean information from other providers to drive prices down and create a competitive advantage in the marketplace.


ACCOUNT TAKEOVER

Third parties can gain access to the details of a trusted user's online accounts, and pose as a real customer. Once an account has been taken over, criminals can do anything the legitimate user could do—including changing account details and withdrawing funds. Bots automate account takeover efforts through credential stuffing and password spraying attacks.
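As an added illustration of the detection side of this threat (the code below is not part of the whitepaper and is not F5's), the following Python script scans constructed authentication log lines for the trace that both credential stuffing and password spraying leave behind: one source trying many distinct usernames with a high failure rate, plus the occasional success inside such a burst, which marks an account to review. The log format, field names, thresholds and IP addresses are assumptions chosen for the example.

```python
"""Flag automated account-takeover attempts in authentication logs.

Added example, not code from the whitepaper. Log format, thresholds and
addresses are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2017-09-01T10:00:01Z 203.0.113.10 alice FAIL
2017-09-01T10:00:02Z 203.0.113.10 bob FAIL
2017-09-01T10:00:02Z 203.0.113.10 carol FAIL
2017-09-01T10:00:03Z 203.0.113.10 dave FAIL
2017-09-01T10:00:03Z 203.0.113.10 erin FAIL
2017-09-01T10:00:04Z 203.0.113.10 frank OK
2017-09-01T10:00:04Z 203.0.113.10 grace FAIL
2017-09-01T10:00:05Z 203.0.113.10 heidi FAIL
2017-09-01T10:00:05Z 203.0.113.10 ivan FAIL
2017-09-01T10:00:06Z 203.0.113.10 judy FAIL
2017-09-01T10:01:00Z 198.51.100.7 alice FAIL
2017-09-01T10:01:30Z 198.51.100.7 alice OK
2017-09-01T10:02:00Z 192.0.2.44 bob FAIL
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def suspicious_sources(events, min_users=5, min_fail_ratio=0.8):
    """Sources whose behaviour matches credential stuffing or password
    spraying: many distinct usernames and mostly failures. Returns
    {ip: stats}; 'successful_logins' lists the accounts worth reviewing."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0,
                                  "hits": [], "first": None, "last": None})
    for ts, ip, user, result in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["hits"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) < min_users or ratio < min_fail_ratio:
            continue
        seconds = max((s["last"] - s["first"]).total_seconds(), 1.0)
        flagged[ip] = {
            "distinct_users": len(s["users"]),
            "fail_ratio": round(ratio, 2),
            "rate_per_s": round(s["total"] / seconds, 2),
            "successful_logins": s["hits"],
        }
    return flagged


def accounts_to_review(events, **thresholds):
    """Accounts that logged in successfully from a flagged source."""
    flagged = suspicious_sources(events, **thresholds)
    return sorted({u for s in flagged.values() for u in s["successful_logins"]})


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ip, stats in suspicious_sources(events).items():
        print(ip, stats)
    print("accounts to review:", accounts_to_review(events))
```

On the constructed log, only 203.0.113.10 is flagged (ten usernames, 90 percent failures, two attempts per second) and "frank" is surfaced for review because a success inside such a burst usually means a reused password from a breach. The single-account retry from 198.51.100.7 stays unflagged, which is the behaviour you want for a real customer mistyping a password; the thresholds are deliberately loose and would be tuned, and windowed by time, against real traffic.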


The list goes on. From malware distribution to click fraud, bots are being used by cybercriminals to make money, which has left traditional fraud investigators attempting to cope with an entirely new front in their battle against fraudulent transactions.⁷


4 https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/
5 https://f5.com/labs/articles/threat-intelligence/ddos/ddoss-newest-minions-iot-devices-v1-22426
6 https://krebsonsecurity.com/tag/bot-ad-fraud/
7 https://www.cnbc.com/2017/05/13/adidas-yeezy-collectors-sneakerheads-using-bots.html


AFTER HACKERS GAIN ACCESS TO THE DETAILS OF A USER'S ONLINE ACCOUNTS, BOTS ARE USED TO AUTOMATE ACCOUNT TAKEOVER EFFORTS THROUGH CREDENTIAL STUFFING AND PASSWORD SPRAYING ATTACKS.
RECRUITING A BOT ARMY


An example of a malicious use of bots is the coordination and operation of an automated attack on networked computers, such as a denial-of-service attack by a botnet.


Figure: a phone, thermostat, or other connected device is turned into part of a botnet.

1 A user interacts with a device, using a helpful bot.
2 An attacker discovers a vulnerability on the device, and installs a malicious bot.
3 The malicious bot allows bad actions via command and control.
4 The hijacked device may be linked to other devices to form a botnet, which can be used to launch many kinds of attacks.
OPTIMIZING BUSINESS INTELLIGENCE IN THE AGE OF BOTS


With an understanding of the opportunities and threats posed by these digital mercenaries, it's essential to delve deeper and analyze the ratio of bots to humans interacting with your sites and applications. This may require an investment in tools and services that have the requisite intelligence to identify and distinguish bot and human traffic, but it will give you a good idea of how much money you're spending servicing the requests of other machines. Implementing tools such as web application firewalls (WAFs) that offer advanced bot management capabilities can help alleviate costs associated with serving bots.

However, overly aggressive bot deflection could have a negative impact on your customers' ability to interact with your services. If they have to spend a lot of time and effort proving that they are human, they may leave in frustration and try their luck with your competitor. Also, failing to facilitate "good" bots like digital assistants and search engine indexers for Google, Bing, etc., could result in your services not being available or visible to potential customers.

Keep in mind that successful bot management will result in some level of impact to your site statistics (like page views), and data mining will likely look somewhat different—but be more accurate—since you will be blocking some traffic. However, being aware of and prepared for these changes will help give you the confidence that you're still serving your human customers.


HOW BOTS AFFECT YOUR CURRENT SECURITY STRATEGY

With the explosion of autonomous programs on the Internet—both malicious and benign—it's necessary to rethink existing strategies for keeping applications and data safe.

While traditional IP intelligence and reputation-based filtering can help, these technologies need to evolve to keep pace with smarter and smarter bots. Looking forward, the business community should consider alternatives to IP reputation—including evaluating longer-term reputation associated with cryptographically verifiable identities—to better facilitate bot detection and management.




Advances in AI technology mean that bots could begin using applications the way humans do, which could hinder efforts to identify them based on behavioral traits such as session and workflow profiling. Some bots are even human enabled, meaning they can outsource certain types of tasks (like solving CAPTCHA challenges) to humans when those tasks are too difficult for them.

Command-and-control systems are evolving, too. Cybercriminals have begun employing steganography techniques to relay commands hidden within images posted to public forums and social networks, a process that makes bot-enabled malware traffic very difficult or even impossible to detect. Consider the novel (but probably already imitated) case of hackers testing a piece of malware and hiding their commands in comments on Britney Spears's Instagram account.⁸

8 http://gizmodo.com/russian-hackers-testing-malware-with-britney-spearss-in-1795912325
SECURITY NOW: FIGHTING THE BOT BATTLE ON MANY FRONTS


If blocking all bots is not an option, how can you best distinguish between different kinds of bots—and block the malicious ones from causing damage to your business?

There are no quick solutions that make it easy to comprehensively deal with the bot challenge, but an intelligence-enabled, defense-in-depth strategy can go a long way toward facilitating the good bots. Implement as much passive inspection as you can to minimize the impact on the application by starting with signatures, DNS checks, and browser capabilities. Then move into fingerprinting to identify beyond IP addresses. You can also employ a solution that looks at attributes like OS, screen size and color depth, and time zone in addition to non-human surfing patterns.
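To make the layered approach concrete, here is an added Python example (not code from the whitepaper or from F5) that scores constructed per-session records in the order the paragraph describes: cheap User-Agent signature checks first, then a DNS check for clients claiming to be a search-engine crawler (reverse lookup, then forward confirmation against the crawler's published domains), then browser-capability and fingerprint attributes (OS and browser from the UA, screen size, color depth, time zone) to identify clients beyond their IP address, and finally request timing as a non-human surfing pattern. The session records, the stub DNS tables, the scoring weights and the IP addresses are assumptions; a real deployment resolves DNS live and tunes the weights against its own traffic.

```python
"""Passive, layered bot classification over per-session attributes.
Added example, not code from the whitepaper. Session records, DNS stub
tables, weights and addresses are constructed assumptions."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Layer 1: signatures of common automation tools in the User-Agent.
AUTOMATION_UA = re.compile(r"python-requests|curl/|HeadlessChrome|PhantomJS", re.I)

# Layer 2: crawlers verifiable by reverse-DNS suffix plus forward confirmation.
CRAWLER_DNS_SUFFIX = {"googlebot": (".googlebot.com", ".google.com"),
                      "bingbot": (".search.msn.com",)}
# Constructed stand-ins for socket.gethostbyaddr()/gethostbyname();
# only the genuine crawler address resolves in this table.
PTR_STUB = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}
A_STUB = {"crawl-192-0-2-10.googlebot.com": "192.0.2.10"}


@dataclass
class Session:
    ip: str
    user_agent: str
    request_times: list   # seconds since the session's first request
    screen: tuple         # JS-reported (width, height); None if no JS ran
    color_depth: int      # None if no JS ran
    tz_offset: int        # minutes from UTC as reported by JS; None if no JS ran


def verify_crawler(session):
    """'verified', 'spoofed', or None when the UA claims no crawler identity."""
    ua = session.user_agent.lower()
    for name, suffixes in CRAWLER_DNS_SUFFIX.items():
        if name in ua:
            host = PTR_STUB.get(session.ip, "")
            genuine = host.endswith(suffixes) and A_STUB.get(host) == session.ip
            return "verified" if genuine else "spoofed"
    return None


def fingerprint(session):
    """Layer 3: identify the client beyond its IP from UA (OS and browser),
    screen size, color depth and time zone."""
    raw = f"{session.user_agent}|{session.screen}|{session.color_depth}|{session.tz_offset}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def shared_fingerprints(sessions, min_ips=3):
    """Fingerprints seen from at least min_ips distinct IPs (one distributed client)."""
    ips = defaultdict(set)
    for s in sessions:
        ips[fingerprint(s)].add(s.ip)
    return {fp for fp, seen in ips.items() if len(seen) >= min_ips}


def machine_timing(times, min_requests=5, max_mean=1.0, max_jitter=0.05):
    """Layer 4: fast requests with near-constant spacing are not a person surfing."""
    if len(times) < min_requests:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) <= max_mean and pstdev(gaps) <= max_jitter


def classify(session, shared=frozenset()):
    """Return (verdict, score, reasons); verdict is 'verified-crawler',
    'bot', 'suspect' or 'human'. Weights are illustrative."""
    crawler = verify_crawler(session)
    if crawler == "verified":
        return "verified-crawler", 0, ["crawler identity confirmed by DNS"]
    checks = [
        (crawler == "spoofed", 4, "crawler UA not confirmed by DNS"),
        (bool(AUTOMATION_UA.search(session.user_agent)), 3, "automation signature in UA"),
        (session.screen is None or session.color_depth is None, 2, "no browser capability data"),
        (fingerprint(session) in shared, 2, "fingerprint shared across many IPs"),
        (machine_timing(session.request_times), 3, "machine-like request timing"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    verdict = "bot" if score >= 4 else "suspect" if score else "human"
    return verdict, score, reasons


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/61.0"
GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLES = [  # constructed sessions
    Session("203.0.113.5", CHROME, [0, 4.2, 9.7, 15.1, 22.8], (1920, 1080), 24, -300),
    Session("198.51.100.20", "python-requests/2.18.4", [0, 0.5, 1.0, 1.5, 2.0, 2.5], None, None, None),
    Session("198.51.100.21", GBOT, [0, 3, 7], None, None, None),  # claims Googlebot, no PTR
    Session("192.0.2.10", GBOT, [0, 2, 5], None, None, None),     # genuine per the stub DNS
    Session("198.51.100.31", CHROME, [0, 1.1, 2.0], (800, 600), 24, 0),
    Session("198.51.100.32", CHROME, [0, 0.9, 2.2], (800, 600), 24, 0),
    Session("198.51.100.33", CHROME, [0, 1.3, 1.9], (800, 600), 24, 0),
]


def report(sessions=SAMPLES):
    """Map each session's IP to its verdict, e.g. for a WAF allow/challenge/block policy."""
    shared = shared_fingerprints(sessions)
    return {s.ip: classify(s, shared)[0] for s in sessions}
```

Calling report() on the constructed sessions yields "human" for the browser session, "bot" for the scraper and for the client that claims to be Googlebot without a matching reverse-DNS record, "verified-crawler" for the genuine crawler (which a policy should let through so indexing is not broken), and "suspect" for the three addresses that share one fingerprint, which is the case IP reputation alone would miss. The order matters for cost: the UA and DNS layers need no JavaScript and no client state, while the fingerprint and timing layers only add weight once the cheap checks are inconclusive.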


HERE ARE SOME STEPS YOU CAN TAKE

Use identity and reputation to help classify and prioritize bot vs. human traffic.

Create bot "acceptable use" policies to make it easier to interact with and service the benign bots, as well as manage their impact on your services.

Review and bolster business processes to deal more efficiently with fraud-related problems, making your organization more secure and encouraging fraudsters to move on to easier targets.

Employ actionable threat intelligence to determine the likelihood of being attacked, and prioritize your response.

Deploy a full-featured, flexible WAF to reduce and block unwanted traffic with capabilities such as proactive bot defense, headless browser detection, form and field-level encryption, layer 7 DoS mitigation, input sanitization, and behavioral analysis.

Use traffic management tools that employ machine learning, such as your WAF, to quickly build and implement mitigations that help you address new and evolving threats.


AUTOMATION'S RISING TIDE: HOW TO MANAGE BOTS IN TODAY'S WORLD


CONCLUSION

Bots are changing life as we know it online. And while it's tempting to concentrate on the multitude of malicious bots roaming the Internet, organizations should also be mindful of the opportunities these autonomous programs present.


By developing a comprehensive, flexible strategy to address the impact of bots on your business, you can protect your applications and your data while preparing your organization for sustained growth.


For more information about application protection, visit f5.com/bots 




THINK APP SECURITY FIRST 


Always-on, always-connected apps can help power and transform your business—but they can also act as gateways to the data beyond the protections of your firewalls. With most attacks happening at the app level, protecting the capabilities that drive your business means protecting the apps that make them happen.


Find more security resources at f5.com/solutions 